Beware of Drupal's Administer users permission

How do I allow a user to create other users?

It’s a pretty common use case which requires a non-admin user role that can create other users for a Drupal site and I’ve frequently seen questions about how to best implement this. I recently also saw the suggestion to simply create a role with the 'Administer users' permission. At first blush, it might seem to work; if that’s the only “administer” permission they have, users with this role can only create basic users with the role “Authenticated user”, they cannot edit the user to add any other roles or upgrade their own role directly. In limited situations, this might even be appropriate.

What might not be immediately apparent, however, is that a user with this permission can edit any other user’s account… and I do mean any. This means that, if their intentions are not pure, a user with this role could easily change the password (or any other fields) on a more privileged user, even user/1, and then log into that account. Once they’ve done that, there is really no limit to what they could do to your site. Even if they have no means to add modules, ones which might be used for particularly nefarious purposes, if you have a module like Backup and migrate available, they could download your database with all sensitive user data; and even if this module is not available to them, you most likely have Views, which they could also use to harvest all user email addresses or other private data fields. And then they could easily cover their tracks, too. If they don’t do anything obvious (like deface your site or start sending spam from it), and only change the password on the admin account, you might be puzzled by why you cannot log in with your normal password, and follow the normal procedure to reset your forgotten password, then forget all about it. Meanwhile, your “user moderator” has collected lots of sensitive data from your site and still has the means to do it again one day.

There’s a module (or a few) for that!

Depending on your actual use case, which might include requirements a bit more complex than just creation of a basic “Authenticated user”, there are a number of modules which might be useful for a “user moderator” role. Some of these modules do nothing about actual creation of users, after all, probably most Drupal sites allow users to just register themselves, but deal with the related need to delegate the responsibility of giving some users additional roles beyond the “Authenticated user” role. But for sites which don’t provide self-registration, there are a couple of modules which allow non-Administrators to create new users, as well.

Role Delegation is one of the most popular such modules, used by over 8000 sites with stable releases for both Drupal 6 and Drupal 7, but it’s limited to role assignment and does not allow users without additional permissions to actually create new users.

Administer Users by Role has stable releases for Drupal 5 and Drupal 6 and allows users of a particular role to create, edit, and delete other users. In theory, it should provide limits to the “administer users” permission by allowing them to administer users with roles that you select. There is no version for Drupal 7 yet available, but a port is in progress. It’s a fairly popular module with about 2,500 users.

RoleAssign is a module with a stable release for Drupal 6 and a “release candidate” for Drupal 7 and is used by about 2,800 sites. It allows users with appropriate permissions to assign pre-defined roles to other users.

Subuser is a module available for Drupal 6 (stable) and Drupal 7 (currently in -alpha2). It is, perhaps, the most advanced and interesting of these modules, although it is not used by the most sites (currently only 282 sites). It allows for a user to be given permission to create users which that user then has permission to manage. Users not created by this “parent” user are not available for management. “Child” users can be given any of the roles which the “parent” is allowed to assign, and the role assignment can be automatic. In other words, an “editor” might create “author” users or a primary “site moderator” might create “forum moderator” users, etc. I think this module shows a lot of promise, especially since it’s written and maintained by the highly esteemed boombatower, a true “Drupal rockstar”.

User Creator is a module which will not be ported to Drupal 7 (they suggest using the aforementioned Subuser module). It allows users with particular roles to create other users with particular role limitations. The example is provided that, for a school website, a “Principal” could create other users with the roles “Teacher” or “Student” and a Teacher could create only “Student” accounts. Site administrators can determine which roles are allowed to create accounts for which other roles.

Control Access to User Settings is a module which seeks to increase the granularity for the “administer users” permission, so that user settings and user administration are separated under this permission and a site administrator can assign just a part of this permission. It has a “stable” release for Drupal 6 and a development snapshot for Drupal 7.

In short: Beware of granting excessive permissions

Be very careful (and generally avoid) granting any kind of “administer” permissions to non-Admin-role users. This article should make it clear that the “administer users” permission is one that could lead to disastrous results if given to the wrong user. While it might even be appropriate to give this permission to a very trusted “admin helper” (e.g. if you want to hide some of Drupal’s administration complexity from your partner—so want to give them some admin permissions—to avoid having them be overwhelmed by the full admin interface), you must absolutely trust such a user not to do anything to abuse the power. And then, it’s probably still best to use one of the appropriate modules, just in case you might forget and grant the same role to someone you trust less than your partner, just to allow this other person to add some new user accounts.

Hopes for the future of Drupal

As I see it, something like the Subuser modules could well be a part of Drupal core. There is almost no reason for any non-admin user to be granted the full power of “administer users”, but there are many reasons you might want to allow for a role that can at least create users and provide limited management of other users (with fewer permissions than their own). I believe some degree of this functionality would be a good thing to include in Drupal core and hope to see that in the future.

Thank you for your comment, Ben J. The Security Review module is a great place to check and make sure that your site is not compromised by lax security restrictions. I should have mentioned it as a tool to use to double-check that you haven't inadvertently given too much access to untrusted (or only partially trusted) roles.

As I'm a newbie in the world of Drupal and its settings, all these tips found here are very useful for me. So, thanks a lot for the given info. It's still not too easy for me to get acquainted with everything connected with Drupal, but I hope to cope with it one day.